Received: by 10.192.165.148 with SMTP id m20csp1718291imm; Thu, 3 May 2018 04:25:04 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoOsGg13dvWFdLrQFP4JKZ+dk6BJwhF71b+6j2u5iJSMCc7/mKbbbhUuN/31IFuxFu+42QU X-Received: by 2002:a65:4309:: with SMTP id j9-v6mr18660647pgq.375.1525346704069; Thu, 03 May 2018 04:25:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525346704; cv=none; d=google.com; s=arc-20160816; b=JZD6IX+ap9y+gxu5kbR37i1geicfMrZzYoS+N/dvfN1QTZ2UuL0herd4bhoql+YNqh CugFLNqcXPrtfNia0MBG5VSU1gRHGKMdjjZF+MlJ2AFuq9MhdD6oOg9pdMTkuFMES/sv SPvsyJ7jRssf8iOSj65TKTMdlGxRjNUUO6I9w8sCA7iVyLnOnER3g8mprCcSEKMwXVXh gxDrDqg+S9O5FjZWg8TbZmhzG2NAVkc7VpOci/VGckrxJzEiOgTOWR5SpIVm4iRvjmkD lbsUsj947MOH9dsGAXbOjETtbiScsG3L1SrGdTpEYIJ77dAmJwsXKZTNy9RFvINvHDU1 il/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=5Ip9dKaeQfyLkF00dcdfSoYbkAhH2b92Clg3KguBs+U=; b=n5ZzNaflQ36w+78b483GOjdhDaLi/RnWiUSKSXgaQLfgal0LtajP707PQYcCKAYsJ3 F4Rn6nXFcMyvXdCub6+rK6qmUVkVQG/xrOsUjTDGR+aDHEYFe0/3NCv5+E0av/Alf+RB sFugTCZzhkM4tTA/UjBRB6ala8/ZqX8TsKNCrmSA+QgjnSTeDQrsIFrmkHP23N4do1RD xETyHCm9868OIy6G7J3rwQwSdbKkp0E3jgDtQTkB5LCgIxSkR1YKIMuqq0xnrGILpzpN fogm/A9uBLnoGtGQOEP7tegT1/BmhBND1Lvz/a/UkyuYAenulZmDp+jXM5pQrsxHRY0y Qtxw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d21-v6si12924966pll.460.2018.05.03.04.24.49; Thu, 03 May 2018 04:25:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751214AbeECLYf (ORCPT + 99 others); Thu, 3 May 2018 07:24:35 -0400 Received: from charlotte.tuxdriver.com ([70.61.120.58]:41683 "EHLO smtp.tuxdriver.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750993AbeECLYd (ORCPT ); Thu, 3 May 2018 07:24:33 -0400 Received: from cpe-2606-a000-111b-40b7-640c-26a-4e16-9225.dyn6.twc.com ([2606:a000:111b:40b7:640c:26a:4e16:9225] helo=localhost) by smtp.tuxdriver.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from ) id 1fECLN-0003GW-Ia; Thu, 03 May 2018 07:24:21 -0400 Date: Thu, 3 May 2018 07:23:41 -0400 From: Neil Horman To: Wenwen Wang Cc: Marcelo Ricardo Leitner , Kangjie Lu , Vlad Yasevich , "David S. Miller" , "open list:SCTP PROTOCOL" , "open list:NETWORKING [GENERAL]" , open list Subject: Re: [PATCH] sctp: fix a potential missing-check bug Message-ID: <20180503112341.GA4220@hmswarspite.think-freely.org> References: <1525299165-27098-1-git-send-email-wang6495@umn.edu> <20180502232352.GJ5105@localhost.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.2 (2017-12-15) X-Spam-Score: -2.9 (--) X-Spam-Status: No Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 02, 2018 at 08:07:17PM -0500, Wenwen Wang wrote: > Hi Marcelo, > > I guess I worked on an old version of the kernel. I will re-submit the > patch. Sorry :( > You don't have to resubmit the patch, this isn't broken. As marcelo points out, a value of zero in this socket option is special, meaning set the fragmentation to whatever the pmtu is, which will always rest between the min and max segment lengths. Neil > Wenwen > > On Wed, May 2, 2018 at 6:23 PM, Marcelo Ricardo Leitner > wrote: > > Hi Wenwen, > > > > On Wed, May 02, 2018 at 05:12:45PM -0500, Wenwen Wang wrote: > >> In sctp_setsockopt_maxseg(), the integer 'val' is compared against min_len > >> and max_len to check whether it is in the appropriate range. If it is not, > >> an error code -EINVAL will be returned. This is enforced by a security > >> check. But, this check is only executed when 'val' is not 0. In fact, if > > > > Which makes sense, no? Especially if considering that 0 should be an > > allowed value as it turns off the user limit. > > > >> 'val' is 0, it will be assigned with a new value (if the return value of > >> the function sctp_id2assoc() is not 0) in the following execution. However, > >> this new value of 'val' is not checked before it is used to assigned to > > > > Which 'new value'? val is not set to something new during the > > function. It always contains the user supplied value. > > > >> asoc->user_frag. That means it is possible that the new value of 'val' > >> could be out of the expected range. This can cause security issues > >> such as buffer overflows, e.g., the new value of 'val' is used as an index > >> to access a buffer. > >> > >> This patch inserts a check for the new value of 'val' to see if it is in > >> the expected range. If it is not, an error code -EINVAL will be returned. > >> > >> Signed-off-by: Wenwen Wang > >> --- > >> net/sctp/socket.c | 21 ++++++++++----------- > >> 1 file changed, 10 insertions(+), 11 deletions(-) > >> > >> diff --git a/net/sctp/socket.c b/net/sctp/socket.c > >> index 80835ac..2beb601 100644 > >> --- a/net/sctp/socket.c > >> +++ b/net/sctp/socket.c > >> @@ -3212,6 +3212,7 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned > >> struct sctp_af *af = sp->pf->af; > >> struct sctp_assoc_value params; > >> struct sctp_association *asoc; > >> + int min_len, max_len; > >> int val; > >> > >> if (optlen == sizeof(int)) { > >> @@ -3231,19 +3232,15 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned > >> return -EINVAL; > >> } > >> > >> - if (val) { > >> - int min_len, max_len; > >> + min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len; > >> + min_len -= af->ip_options_len(sk); > >> + min_len -= sizeof(struct sctphdr) + > >> + sizeof(struct sctp_data_chunk); > > > > On which tree did you base your patch on? Your patch lacks a tag so it > > defaults to net-next, and I reworked this section on current net-next > > and these MTU calculcations are now handled by sctp_mtu_payload(). > > > > But even for net tree, I don't understand which issue you're fixing > > here. Actually it seems to me that both codes seems to do the same > > thing. > > > >> > >> - min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len; > >> - min_len -= af->ip_options_len(sk); > >> - min_len -= sizeof(struct sctphdr) + > >> - sizeof(struct sctp_data_chunk); > >> + max_len = SCTP_MAX_CHUNK_LEN - sizeof(struct sctp_data_chunk); > >> > >> - max_len = SCTP_MAX_CHUNK_LEN - sizeof(struct sctp_data_chunk); > >> - > >> - if (val < min_len || val > max_len) > >> - return -EINVAL; > >> - } > >> + if (val && (val < min_len || val > max_len)) > >> + return -EINVAL; > >> > >> asoc = sctp_id2assoc(sk, params.assoc_id); > >> if (asoc) { > >> @@ -3253,6 +3250,8 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned > >> val -= sizeof(struct sctphdr) + > >> sctp_datachk_len(&asoc->stream); > >> } > >> + if (val < min_len || val > max_len) > >> + return -EINVAL; > >> asoc->user_frag = val; > >> asoc->frag_point = sctp_frag_point(asoc, asoc->pathmtu); > >> } else { > >> -- > >> 2.7.4 > >> > >> -- > >> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > >> the body of a message to majordomo@vger.kernel.org > >> More majordomo info at http://vger.kernel.org/majordomo-info.html > >> >